From a9f19a0bdf411e25c72a5932117a529c4a7315ad Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Tue, 8 Aug 2023 09:01:36 +0200
Subject: [PATCH 1/5] switch to ghcr images
Signed-off-by: Sebastian Gumprich
---
molecule/mysql_hardening/molecule.yml | 2 +-
molecule/nginx_hardening/molecule.yml | 2 +-
molecule/os_hardening/molecule.yml | 4 ++--
molecule/ssh_hardening/molecule.yml | 2 +-
molecule/ssh_hardening_custom_tests/molecule.yml | 2 +-
5 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/molecule/mysql_hardening/molecule.yml b/molecule/mysql_hardening/molecule.yml
index e1f8a3275..b4bf6db2f 100644
--- a/molecule/mysql_hardening/molecule.yml
+++ b/molecule/mysql_hardening/molecule.yml
@@ -8,7 +8,7 @@ driver:
name: docker
platforms:
- name: instance
- image: "rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest"
+ image: "ghcr.io/dev-sec/docker-${MOLECULE_DISTRO}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-/lib/systemd/systemd}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
diff --git a/molecule/nginx_hardening/molecule.yml b/molecule/nginx_hardening/molecule.yml
index d854d08da..a722c8936 100644
--- a/molecule/nginx_hardening/molecule.yml
+++ b/molecule/nginx_hardening/molecule.yml
@@ -7,7 +7,7 @@ driver:
name: docker
platforms:
- name: instance
- image: "rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest"
+ image: "ghcr.io/dev-sec/docker-${MOLECULE_DISTRO}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-/lib/systemd/systemd}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
diff --git a/molecule/os_hardening/molecule.yml b/molecule/os_hardening/molecule.yml
index 31fdc6be7..c8a41b4bf 100644
--- a/molecule/os_hardening/molecule.yml
+++ b/molecule/os_hardening/molecule.yml
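Review bot: The new `image: "ghcr.io/dev-sec/docker-${MOLECULE_DISTRO}-ansible:latest"` line keeps the mutable `latest` tag, so what the hardening tests run against is whatever the registry serves at run time, and a changed or tampered upstream image alters test results with nothing in this repository recording it; the nginx_hardening, os_hardening, ssh_hardening and ssh_hardening_custom_tests hunks carry the same line. If the ghcr images are published with versioned tags, referencing one and bumping it deliberately gives a reproducible, reviewable baseline; a digest pin does not fit here because the distro is interpolated into the image name. If tracking `latest` is the intent, a comment such as `# latest on purpose: the matrix should always test against the newest published image` keeps that choice visible to the next reader.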
@@ -2,8 +2,8 @@
driver:
name: docker
platforms:
- - name: instance
- image: "rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest"
+ - name: instance-${MOLECULE_DISTRO}
+ image: "ghcr.io/dev-sec/docker-${MOLECULE_DISTRO}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-/lib/systemd/systemd}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
diff --git a/molecule/ssh_hardening/molecule.yml b/molecule/ssh_hardening/molecule.yml
index 591a5a514..e35ca16d9 100644
--- a/molecule/ssh_hardening/molecule.yml
+++ b/molecule/ssh_hardening/molecule.yml
@@ -3,7 +3,7 @@ driver:
name: docker
platforms:
- name: instance
- image: "rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest"
+ image: "ghcr.io/dev-sec/docker-${MOLECULE_DISTRO}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-/lib/systemd/systemd}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
diff --git a/molecule/ssh_hardening_custom_tests/molecule.yml b/molecule/ssh_hardening_custom_tests/molecule.yml
index 31fdc6be7..f834c81a5 100644
--- a/molecule/ssh_hardening_custom_tests/molecule.yml
+++ b/molecule/ssh_hardening_custom_tests/molecule.yml
@@ -3,7 +3,7 @@ driver:
name: docker
platforms:
- name: instance
- image: "rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest"
+ image: "ghcr.io/dev-sec/docker-${MOLECULE_DISTRO}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-/lib/systemd/systemd}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
From 8220ae9da0aad5d6329d1cfbad758a98e26b3c74 Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Tue, 8 Aug 2023 09:04:30 +0200
Subject: [PATCH 2/5] fix linting errors
---
molecule/os_hardening/prepare.yml | 24 +++++-----
molecule/os_hardening/verify.yml | 30 ++++++-------
molecule/os_hardening/verify_tasks/netrc.yml | 10 ++---
molecule/os_hardening/verify_tasks/pam.yml | 45 +++++++++----------
.../verify_tasks/sys_account_shell.yml | 5 ++-
molecule/os_hardening/verify_tasks/yum.yml | 4 +-
molecule/os_hardening_vm/verify_tasks/pam.yml | 1 +
7 files changed, 60 insertions(+), 59 deletions(-)
diff --git a/molecule/os_hardening/prepare.yml b/molecule/os_hardening/prepare.yml
index 5479be75d..947aa85d4 100644
--- a/molecule/os_hardening/prepare.yml
+++ b/molecule/os_hardening/prepare.yml
@@ -1,5 +1,5 @@
---
-- name: wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing
+- name: Wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing
hosts: all
become: true
environment:
@@ -21,18 +21,18 @@
- name: install required tools on SuSE
# cannot use zypper module, since it depends on python-xml
- shell: "zypper -n install python-xml"
+ ansible.builtin.shell: zypper -n install python-xml
when: ansible_facts.os_family == 'Suse'
- - name: install required tools on fedora
- dnf:
+ - name: Install required tools on fedora
+ ansible.builtin.dnf:
name:
- python
- findutils
- procps-ng
when: ansible_facts.distribution == 'Fedora'
- - name: install required tools on Arch
+ - name: Install required tools on Arch
community.general.pacman:
name:
- awk
@@ -40,8 +40,8 @@
update_cache: true
when: ansible_facts.os_family == 'Archlinux'
- - name: install required tools on RHEL # noqa ignore-errors
- yum:
+ - name: Install required tools on RHEL # noqa ignore-errors
+ ansible.builtin.yum:
name:
- openssh-clients
- openssh
@@ -49,15 +49,15 @@
update_cache: true
ignore_errors: true
- - name: create recursing symlink to test minimize access
- shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
+ - name: Create recursing symlink to test minimize access
+ ansible.builtin.shell: rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz
changed_when: false
- - name: include YUM prepare tasks
- include_tasks: prepare_tasks/yum.yml
+ - name: Include YUM prepare tasks
+ ansible.builtin.include_tasks: prepare_tasks/yum.yml
when: ansible_facts.os_family == 'RedHat'
- - name: include preparation tasks
+ - name: Include preparation tasks
ansible.builtin.include_tasks:
file: "{{ item }}"
loop:
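Review bot: `ansible.builtin.shell: zypper -n install python-xml` in the `@@ -21,18` hunk still invokes a shell for a command that uses no shell features, which ansible-lint's command-instead-of-shell rule flags, so this "fix linting errors" commit leaves one warning in place; `ansible.builtin.command: zypper -n install python-xml` does the same work without the shell and still honours the comment above it about the zypper module. The symlink task `ansible.builtin.shell: rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz` in the `@@ -49,15` hunk genuinely needs the shell for `&&`, but its `changed_when: false` reports no change for a task that rewrites `/usr/bin/zzz` on every run; a one-line comment above it saying the link is intentionally recreated each run and the change is suppressed to keep the prepare play quiet would record that this is deliberate rather than an oversight.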
diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml
index c890eb3f0..807449097 100644
--- a/molecule/os_hardening/verify.yml
+++ b/molecule/os_hardening/verify.yml
@@ -7,14 +7,14 @@
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- - name: set ansible_python_interpreter to "/usr/bin/python3"
- set_fact:
- ansible_python_interpreter: "/usr/bin/python3"
+ - name: Set ansible_python_interpreter to "/usr/bin/python3"
+ ansible.builtin.set_fact:
+ ansible_python_interpreter: /usr/bin/python3
- - name: include verification tasks
+ - name: Include verification tasks
ansible.builtin.include_tasks:
file: "{{ item }}"
- loop:
+ loop:
- verify_tasks/sys_account_shell.yml
- verify_tasks/pw_ageing.yml
- verify_tasks/netrc.yml
@@ -37,7 +37,7 @@
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- name: Execute cinc-auditor tests
- command: >
+ ansible.builtin.command: >
docker run
--volume /run/docker.sock:/run/docker.sock
--volume {{ playbook_dir }}/waivers.yaml:/waivers.yaml
@@ -51,12 +51,12 @@
ignore_errors: true
- name: Display details about the cinc-auditor results
- debug:
+ ansible.builtin.debug:
msg: "{{ test_results.stdout_lines }}"
- name: Fail when tests fail
- fail:
- msg: "Inspec failed to validate"
+ ansible.builtin.fail:
+ msg: Inspec failed to validate
when: test_results.rc != 0
- name: Verify
@@ -70,15 +70,15 @@
- devsec.hardening
tasks:
# test if variable can be overridden
- - name: workaround for https://github.com/ansible/ansible/issues/66304
- set_fact:
- ansible_virtualization_type: "docker"
+ - name: Workaround for https://github.com/ansible/ansible/issues/66304
+ ansible.builtin.set_fact:
+ ansible_virtualization_type: docker
os_env_umask: "027 #override"
- - include_role:
+ - ansible.builtin.include_role:
name: os_hardening
- - name: verify os_env_umask
- shell:
+ - name: Verify os_env_umask
+ ansible.builtin.shell:
cmd: "grep '027 #override' /etc/login.defs"
changed_when: false
diff --git a/molecule/os_hardening/verify_tasks/netrc.yml b/molecule/os_hardening/verify_tasks/netrc.yml
index cee31463d..7e27aebe6 100644
--- a/molecule/os_hardening/verify_tasks/netrc.yml
+++ b/molecule/os_hardening/verify_tasks/netrc.yml
@@ -1,19 +1,19 @@
---
- name: test that .netrc in root homedir exists
ansible.builtin.file:
- path: '/root/.netrc'
+ path: /root/.netrc
state: file
register: result_test_netrc
- name: output result if .netrc for user root exists
ansible.builtin.assert:
that:
- - "result_test_netrc.state == 'file'"
- fail_msg: ".netrc in /root/ not present"
- success_msg: ".netrc exists in /root/"
+ - result_test_netrc.state == 'file'
+ fail_msg: .netrc in /root/ not present
+ success_msg: .netrc exists in /root/
- name: delete '.netrc' in /root
ansible.builtin.file:
- path: '/root/.netrc'
+ path: /root/.netrc
state: absent
when: result_test_netrc.state == 'file'
diff --git a/molecule/os_hardening/verify_tasks/pam.yml b/molecule/os_hardening/verify_tasks/pam.yml
index c71cae010..4f9584490 100644
--- a/molecule/os_hardening/verify_tasks/pam.yml
+++ b/molecule/os_hardening/verify_tasks/pam.yml
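Review bot: The task `- ansible.builtin.include_role:` with `name: os_hardening` in the verify.yml `@@ -70,15` hunk still has no `name:` of its own, so ansible-lint's name[missing] rule keeps firing on this file even though the commit is meant to clear lint errors; putting `- name: Apply os_hardening with the overridden umask` above `ansible.builtin.include_role:` also makes the play output show which role run the following `grep '027 #override'` task verifies. The enclosing play starts above the hunk, so the `hosts:` and `roles:` it relies on are not visible here.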
@@ -1,13 +1,12 @@
---
-
-- name: install pip
- package:
+- name: Install pip
+ ansible.builtin.package:
name:
- python3-pip
- python3-setuptools
state: present
-- name: install pam-tester
+- name: Install pam-tester
ansible.builtin.pip:
name: pam-tester
state: present
@@ -17,50 +16,50 @@
set_fact:
test_pw: "myTest!pw"
-- name: set locale for test
- set_fact:
- locale: "en_US.UTF-8"
+- name: Set locale for test
+ ansible.builtin.set_fact:
+ locale: en_US.UTF-8
when:
- ansible_facts.os_family == 'RedHat'
- ansible_facts.distribution_major_version < '8'
-- name: create testuser
- user:
+- name: Create testuser
+ ansible.builtin.user:
name: testuser
password: "{{ test_pw | password_hash('sha512') }}"
-- name: check successful login with correct password
- shell:
- cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
+- name: Check successful login with correct password
+ ansible.builtin.shell:
+ cmd: /usr/local/bin/pam-tester --user testuser --password {{ test_pw }}
environment:
TMPDIR: /var/tmp
LC_ALL: "{{ locale | default('C.UTF-8') }}"
LANG: "{{ locale | default('C.UTF-8') }}"
-- name: check unsuccessful login with incorrect password
- shell:
- cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
+- name: Check unsuccessful login with incorrect password
+ ansible.builtin.shell:
+ cmd: /usr/local/bin/pam-tester --user testuser --password {{ test_pw }}fail --expectfail
environment:
TMPDIR: /var/tmp
LC_ALL: "{{ locale | default('C.UTF-8') }}"
LANG: "{{ locale | default('C.UTF-8') }}"
with_sequence: count=6
-- name: check unsuccessful login, with correct password (lockout)
- shell:
- cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }} --expectfail"
+- name: Check unsuccessful login, with correct password (lockout)
+ ansible.builtin.shell:
+ cmd: /usr/local/bin/pam-tester --user testuser --password {{ test_pw }} --expectfail
environment:
TMPDIR: /var/tmp
LC_ALL: "{{ locale | default('C.UTF-8') }}"
LANG: "{{ locale | default('C.UTF-8') }}"
-- name: wait for account to unlock
- pause:
+- name: Wait for account to unlock
+ ansible.builtin.pause:
seconds: 20
-- name: check successful login
- shell:
- cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
+- name: Check successful login
+ ansible.builtin.shell:
+ cmd: /usr/local/bin/pam-tester --user testuser --password {{ test_pw }}
environment:
TMPDIR: /var/tmp
LC_ALL: "{{ locale | default('C.UTF-8') }}"
diff --git a/molecule/os_hardening/verify_tasks/sys_account_shell.yml b/molecule/os_hardening/verify_tasks/sys_account_shell.yml
index e44c197c2..731519783 100644
--- a/molecule/os_hardening/verify_tasks/sys_account_shell.yml
+++ b/molecule/os_hardening/verify_tasks/sys_account_shell.yml
@@ -1,8 +1,9 @@
+---
- name: Read local linux user database
- getent:
+ ansible.builtin.getent:
database: passwd
- name: Check that shell_sys_acc's shell is still bash
- assert:
+ ansible.builtin.assert:
that:
- getent_passwd['shell_sys_acc'][5] == "/bin/bash"
diff --git a/molecule/os_hardening/verify_tasks/yum.yml b/molecule/os_hardening/verify_tasks/yum.yml
index 15afbbf20..dc89f6b25 100644
--- a/molecule/os_hardening/verify_tasks/yum.yml
+++ b/molecule/os_hardening/verify_tasks/yum.yml
@@ -1,8 +1,8 @@
---
- name: verify 'gpgcheck' was not enabled for 'foo' repository (in whitelist)
- command: grep -e 'gpgcheck\s*=\s*0' /etc/yum.repos.d/foo.repo
+ ansible.builtin.command: grep -e 'gpgcheck\s*=\s*0' /etc/yum.repos.d/foo.repo
changed_when: false
- name: verify 'gpgcheck' was enabled for 'bar' repository (not in whitelist)
- command: grep -e 'gpgcheck\s*=\s*1' /etc/yum.repos.d/bar.repo
+ ansible.builtin.command: grep -e 'gpgcheck\s*=\s*1' /etc/yum.repos.d/bar.repo
changed_when: false
diff --git a/molecule/os_hardening_vm/verify_tasks/pam.yml b/molecule/os_hardening_vm/verify_tasks/pam.yml
index bfbb7a3b1..f0c23c23c 100644
--- a/molecule/os_hardening_vm/verify_tasks/pam.yml
+++ b/molecule/os_hardening_vm/verify_tasks/pam.yml
@@ -10,6 +10,7 @@
ansible.builtin.pip:
name: pam-tester
state: present
+ executable: /usr/bin/pip3
- name: set password for test
set_fact:
From f1ec9f2c785e369422cc82f1e22ddfb6250ff05d Mon Sep 17 00:00:00 2001
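Review bot: Every pam-tester task in the `@@ -17,50 +16,50 @@` hunk now builds `cmd: /usr/local/bin/pam-tester --user testuser --password {{ test_pw }}` as a plain scalar handed to `ansible.builtin.shell`, so the password is word-split and metacharacter-expanded by the shell before pam-tester sees it, and it is echoed verbatim in the task output; nothing in these four commands needs a shell. `ansible.builtin.command` with `argv: ["/usr/local/bin/pam-tester", "--user", "testuser", "--password", "{{ test_pw }}"]` passes the value as a single argument regardless of its characters, and `no_log: true` on the login tasks keeps the fixture password out of CI logs if that is a concern (it also hides failure output, so weigh it against debuggability). The os_hardening_vm/verify_tasks/pam.yml hunks in PATCH 4/5 have the same shape and would take the same change; PATCH 3/5 later removes the `!` from the test password, which looks like a symptom of exactly this shell interpolation, though the series does not say so.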
From: Sebastian Gumprich
Date: Tue, 8 Aug 2023 09:05:02 +0200
Subject: [PATCH 3/5] install python3, pip so we can then install pam-tester
Signed-off-by: Sebastian Gumprich
---
molecule/os_hardening/prepare.yml | 19 +++++++++----------
molecule/os_hardening/verify.yml | 13 ++++++-------
molecule/os_hardening/verify_tasks/pam.yml | 6 +++---
3 files changed, 18 insertions(+), 20 deletions(-)
diff --git a/molecule/os_hardening/prepare.yml b/molecule/os_hardening/prepare.yml
index 947aa85d4..866960d63 100644
--- a/molecule/os_hardening/prepare.yml
+++ b/molecule/os_hardening/prepare.yml
@@ -7,19 +7,18 @@
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- - name: set ansible_python_interpreter to "/usr/bin/python3" on fedora
- set_fact:
- ansible_python_interpreter: "/usr/bin/python3"
- when: ansible_facts.distribution == 'Fedora'
- - name: Run the equivalent of "apt-get update && apt-get upgrade"
- apt:
- name: "*"
- state: latest
+ - name: Install Python3 on Debian 10
+ ansible.builtin.apt:
+ name: python3
+ state: present
update_cache: true
when: ansible_os_family == 'Debian'
- - name: install required tools on SuSE
+ - name: Set ansible_python_interpreter to "/usr/bin/python3"
+ ansible.builtin.set_fact:
+ ansible_python_interpreter: /usr/bin/python3
+
+ - name: Install required tools on SuSE
# cannot use zypper module, since it depends on python-xml
ansible.builtin.shell: zypper -n install python-xml
when: ansible_facts.os_family == 'Suse'
diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml
index 807449097..7986ebfd3 100644
--- a/molecule/os_hardening/verify.yml
+++ b/molecule/os_hardening/verify.yml
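Review bot: The new `Install Python3 on Debian 10` apt task is gated by the retained context line `when: ansible_os_family == 'Debian'`, which reads the legacy injected fact variable while every other task in this play uses `ansible_facts.os_family` (the SuSE task three lines below does), so it stops matching as soon as `inject_facts_as_vars` is disabled and is inconsistent with the file; `when: ansible_facts.os_family == 'Debian'` matches the rest. The task name also promises a narrower scope than that condition delivers, which covers every Debian-family host including Ubuntu, so either narrow the condition or rename it to something like `Install Python3 on Debian-family hosts`. Moving `Set ansible_python_interpreter to "/usr/bin/python3"` below the apt task appears to be what lets the bootstrap work on images without python3; a comment above the apt task, `# runs under the interpreter Ansible discovered; python3 must exist before the interpreter is pinned below`, records that ordering dependency for the next edit.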
@@ -20,15 +20,14 @@
- verify_tasks/netrc.yml
- verify_tasks/ignore_home_folders.yml
-# temp. disabled - https://github.com/dev-sec/ansible-collection-hardening/issues/690
-# - name: include PAM tests
-# include_tasks: verify_tasks/pam.yml
-# when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'
-
- - name: include YUM tests
- include_tasks: verify_tasks/yum.yml
+ - name: Include YUM tests
+ ansible.builtin.include_tasks: verify_tasks/yum.yml
when: ansible_facts.os_family == 'RedHat'
+ - name: Include PAM tests
+ ansible.builtin.include_tasks: verify_tasks/pam.yml
+ when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'
+
- name: Verify
hosts: localhost
environment:
diff --git a/molecule/os_hardening/verify_tasks/pam.yml b/molecule/os_hardening/verify_tasks/pam.yml
index 4f9584490..fee7ade07 100644
--- a/molecule/os_hardening/verify_tasks/pam.yml
+++ b/molecule/os_hardening/verify_tasks/pam.yml
@@ -12,9 +12,9 @@
state: present
executable: /usr/bin/pip3
-- name: set password for test
- set_fact:
- test_pw: "myTest!pw"
+- name: Set password for test
+ ansible.builtin.set_fact:
+ test_pw: myTestpwSage
- name: Set locale for test
ansible.builtin.set_fact:
From 5e6164abb19533573de8e64a8f4982a35572f731 Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Tue, 8 Aug 2023 09:36:09 +0200
Subject: [PATCH 4/5] use full path for pam-tester in os_hardening_vm tests
Signed-off-by: Sebastian Gumprich
---
molecule/os_hardening_vm/verify_tasks/pam.yml | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/molecule/os_hardening_vm/verify_tasks/pam.yml b/molecule/os_hardening_vm/verify_tasks/pam.yml
index f0c23c23c..c71cae010 100644
--- a/molecule/os_hardening_vm/verify_tasks/pam.yml
+++ b/molecule/os_hardening_vm/verify_tasks/pam.yml
@@ -1,4 +1,5 @@
---
+
- name: install pip
package:
name:
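Review bot: The re-enabled `Include PAM tests` task in the verify.yml `@@ -20,15 +20,14 @@` hunk drops the comment that pointed at https://github.com/dev-sec/ansible-collection-hardening/issues/690, and neither the hunk nor the commit message says whether that issue is resolved or only worked around by the python3/pip bootstrap added elsewhere in this series; a one-line comment above the task stating why it is now safe to run keeps the trail for whoever next sees these tests misbehave. The `when:` condition is carried over unchanged from the commented-out version, so the platform coverage is the same as before it was disabled.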
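Review bot: `test_pw: myTestpwSage` in the pam.yml `@@ -12,9 +12,9 @@` hunk silently drops the `!` the previous fixture carried, and nothing records why; because this value is interpolated unquoted into `ansible.builtin.shell` commands later in the same file, a reader who restores a password with shell metacharacters to broaden the test will reintroduce whatever failure prompted this change. A comment above the line such as `# keep this alphanumeric: the value is spliced unquoted into shell command lines below` states the constraint where it will be seen. If exercising a special character in the password is wanted, the pam-tester tasks need to pass it as a single argv element instead of through a shell string.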
@@ -30,7 +31,7 @@
- name: check successful login with correct password
shell:
- cmd: "pam-tester --user testuser --password {{ test_pw }}"
+ cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
environment:
TMPDIR: /var/tmp
LC_ALL: "{{ locale | default('C.UTF-8') }}"
@@ -38,7 +39,7 @@
- name: check unsuccessful login with incorrect password
shell:
- cmd: "pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
+ cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
environment:
TMPDIR: /var/tmp
LC_ALL: "{{ locale | default('C.UTF-8') }}"
@@ -47,7 +48,7 @@
- name: check unsuccessful login, with correct password (lockout)
shell:
- cmd: "pam-tester --user testuser --password {{ test_pw }} --expectfail"
+ cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }} --expectfail"
environment:
TMPDIR: /var/tmp
LC_ALL: "{{ locale | default('C.UTF-8') }}"
@@ -59,7 +60,7 @@
- name: check successful login
shell:
- cmd: "pam-tester --user testuser --password {{ test_pw }}"
+ cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
environment:
TMPDIR: /var/tmp
LC_ALL: "{{ locale | default('C.UTF-8') }}"
From cbab91c42383a2b7ce63cefe44476438ea18754d Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Tue, 8 Aug 2023 13:27:28 +0200
Subject: [PATCH 5/5] remove local test
Signed-off-by: Sebastian Gumprich
---
molecule/os_hardening/molecule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/molecule/os_hardening/molecule.yml b/molecule/os_hardening/molecule.yml
index c8a41b4bf..f834c81a5 100644
--- a/molecule/os_hardening/molecule.yml
+++ b/molecule/os_hardening/molecule.yml
@@ -2,7 +2,7 @@
driver:
name: docker
platforms:
- - name: instance-${MOLECULE_DISTRO}
+ - name: instance
image: "ghcr.io/dev-sec/docker-${MOLECULE_DISTRO}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-/lib/systemd/systemd}
volumes: